Requirements for Transfers Abroad
Controllers or processors may transfer personal data abroad if the legislation of the relevant state or international body guarantees an adequate level of protection. EU and EEA member states are considered to provide the required adequate level of data protection for data pertaining to individuals.
Both the current and the revised FADP provide that personal data may not be disclosed abroad if this would seriously endanger the personality of the persons concerned. Such a serious threat to the personality rights of the data subject may arise if the exporting state does not have legislation that guarantees an adequate level of data protection. For countries outside the EU and EEA, it is necessary to check on a case-by-case basis whether they provide an adequate level of data protection. For example, neither US federal law nor the laws of any US state are considered to provide an adequate level of data protection. Both the current and the revised FADP contain provisions on how the required protection is to be guaranteed when data is transferred abroad to a state that does not offer the same level of data protection as Switzerland does.
Thus, at least one of the following conditions must be fulfilled under the revised FADP:
- an international treaty;
- data protection provisions of a contract between the controller or the processor and its contracting partner, which were communicated beforehand to the FDPIC;
- specific safeguards prepared by the competent federal body and communicated beforehand to the FDPIC;
- standard data protection clauses previously approved, established or recognised by the FDPIC; and
- binding corporate rules on data protection which were previously approved by the FDPIC, or by a foreign authority which is responsible for data protection and belongs to a state which guarantees adequate protection.
The “new” standard contractual clauses (SCCs) published by the EU Commission on 4 June 2021 were also recognised by the FDPIC in its statement of 27 August 2021.
However, in the view of the current FDPIC, the new EU SCCs only allow the disclosure of personal data to states without adequate protection “provided that the necessary adaptations and additions are made for use under Swiss data protection law”. From a Swiss perspective, exporters would therefore have to provide slightly supplemented SCCs (with Swiss supplements).